Bug 824574 - net-vpn/openconnect DTLS handshake failed
Summary: net-vpn/openconnect DTLS handshake failed
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Mike Gilbert
Reported: 2021-11-18 18:30 UTC by Ilyas B Arinov
Modified: 2021-11-19 22:25 UTC
CC: 1 user
Description Ilyas B Arinov 2021-11-18 18:30:46 UTC
Updating my system a month ago gives me this issue with any openconnect connections:

DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)

I tried to disable firewalld, no effect.
Losing connection.

Please check openconnect again.
Comment 1 Ilyas B Arinov 2021-11-18 18:40:00 UTC
Portage 3.0.28 (python 3.9.8-final-0, default/linux/amd64/17.1/desktop/systemd, gcc-11.2.0, glibc-2.33-r7, 5.10.76-gentoo-r1-x86_64 x86_64)
=================================================================
System uname: Linux-5.10.76-gentoo-r1-x86_64-x86_64-AMD_Ryzen_5_4500U_with_Radeon_Graphics-with-glibc2.33
KiB Mem:    32295872 total,  25913664 free
KiB Swap:   63509500 total,  63509500 free
Timestamp of repository gentoo: Thu, 18 Nov 2021 08:00:01 +0000
Head commit of repository gentoo: bdffa54771aabf15cee4ebde6a23ab96188043cf
Head commit of repository tlp: 96db20c75e0f9a934013a77c573f16b8d598f193

sh bash 5.1_p8
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
app-shells/bash:          5.1_p8::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.34.0-r3::gentoo
dev-lang/python:          3.8.12_p1::gentoo, 3.9.8::gentoo
dev-lang/rust:            1.56.1::gentoo
dev-util/cmake:           3.20.5::gentoo
sys-apps/baselayout:      2.7-r3::gentoo
sys-apps/sandbox:         2.25::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:       1.16.4::gentoo
sys-devel/binutils:       2.37_p1::gentoo
sys-devel/gcc:            11.2.0::gentoo
sys-devel/gcc-config:     2.4::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 24

tlp
    location: /var/db/repos/tlp
    sync-type: git
    sync-uri: https://github.com/dywisor/tlp-portage
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="https://ftp.linux.org.tr/gentoo/ rsync://ftp.linux.org.tr/gentoo-distfiles/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 bluetooth branding bzip2 cairo cdda cdr cli crypt cups dbus dri dts dvd dvdr emboss encode exif flac fortran gdbm gif gpm gui iconv icu ipv6 jpeg lcms libglvnd libnotify libtirpc mad mng mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio readline sdl seccomp spell split-usr ssl startup-notification svg systemd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ADA_TARGET="gnat_2019" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS
Comment 2 Mike Gilbert gentoo-dev 2021-11-18 19:04:05 UTC
With net-vpn/openconnect-8.10-r6[gnutls] and net-libs/gnutls-3.7.2, I get this message when connecting to a Cisco device:

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Set up UDP failed; using SSL instead
Connected as 10.170.243.158, using SSL, with DTLS disabled

With net-vpn/openconnect-8.10-r6[-gnutls] and dev-libs/openssl-1.1.1l-r1, it works fine:

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.170.243.177, using SSL, with DTLS in progress
Established DTLS connection (using OpenSSL). Ciphersuite DTLSv1.2-DHE-RSA-AES256-SHA256.

Can you try rebuilding net-vpn/openconnect with the gnutls USE flag disabled?
Comment 3 Mike Gilbert gentoo-dev 2021-11-18 19:47:38 UTC
net-vpn/openconnect-9999[gnutls] also works fine.

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(DHE-CUSTOM)-(AES-256-CBC)-(SHA1).
Configured as 10.170.243.179, with SSL connected and DTLS connected
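A small diagnostic, added here and not part of this bug thread or of openconnect itself, that classifies the DTLS outcome of a session from the log lines quoted in the description and in comments 2 and 3 (UDP fallback, DTLS disabled, DTLS established with which backend and ciphersuite, or a handshake-failure loop). The sample logs are constructed from those messages and the regular expressions are my own assumptions about the message formats.

```python
import re

# Constructed sample logs, modelled on the openconnect messages quoted in this bug.
GNUTLS_FALLBACK = """\
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Set up UDP failed; using SSL instead
Connected as 10.170.243.158, using SSL, with DTLS disabled
"""
OPENSSL_OK = """\
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 10.170.243.177, using SSL, with DTLS in progress
Established DTLS connection (using OpenSSL). Ciphersuite DTLSv1.2-DHE-RSA-AES256-SHA256.
"""
HANDSHAKE_LOOP = """\
Connected as 10.170.241.15, using SSL, with DTLS in progress
DTLS handshake failed: Resource temporarily unavailable, try again.
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
DTLS handshake failed: Error in the push function.
(Is a firewall preventing you from sending UDP packets?)
"""

# Assumed message formats (matching the lines quoted in the bug).
ESTABLISHED = re.compile(r"Established DTLS connection \(using (\w+)\)\. Ciphersuite (\S+)")
HANDSHAKE_FAIL = re.compile(r"^DTLS handshake failed: (.+)$")


def dtls_status(log):
    """Return the DTLS outcome of one openconnect session log as a dict."""
    status = {"dtls": "unknown", "backend": None, "ciphersuite": None,
              "udp_fallback": False, "handshake_failures": []}
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Set up UDP failed"):
            status["udp_fallback"] = True        # client gave up on UDP before any handshake
        elif "with DTLS disabled" in line:
            status["dtls"] = "disabled"
        elif "with DTLS in progress" in line:
            status["dtls"] = "in progress"
        elif m := ESTABLISHED.search(line):
            status["dtls"] = "established"
            status["backend"] = m.group(1)       # OpenSSL or GnuTLS
            status["ciphersuite"] = m.group(2).rstrip(".")
        elif m := HANDSHAKE_FAIL.match(line):
            status["handshake_failures"].append(m.group(1))
    # Handshake failures with no "Established" line mean DTLS never came up.
    if status["dtls"] == "in progress" and status["handshake_failures"]:
        status["dtls"] = "failed"
    return status


if __name__ == "__main__":
    for name, log in [("gnutls", GNUTLS_FALLBACK), ("openssl", OPENSSL_OK), ("loop", HANDSHAKE_LOOP)]:
        print(name, dtls_status(log))
```

Feed it the output of a verbose openconnect run to see at a glance whether the session is really using DTLS or has silently fallen back to TCP.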
Comment 4 Ilyas B Arinov 2021-11-18 23:16:04 UTC
(In reply to Mike Gilbert from comment #3)
> net-vpn/opneconnect-9999[gnutls] also works fine.
> 
> Got CONNECT response: HTTP/1.1 200 OK
> CSTP connected. DPD 30, Keepalive 20
> Established DTLS connection (using GnuTLS). Ciphersuite
> (DTLS1.2)-(DHE-CUSTOM)-(AES-256-CBC)-(SHA1).
> Configured as 10.170.243.179, with SSL connected and DTLS connected

X-CSTP-MSIE-Proxy-Lockdown: true
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-MTU: 1300
X-CSTP-Routing-Filtering-Ignore: false
X-CSTP-Quarantine: false
X-CSTP-Disable-Always-On-VPN: false
X-CSTP-Client-Bypass-Protocol: false
X-CSTP-TCP-Keepalive: true
X-CSTP-Post-Auth-XML: <elided>
CSTP connected. DPD 30, Keepalive 20
Connected as 10.170.241.15, using SSL, with DTLS disabled

Thanks for the solution.
Tried to rebuild without gnutls and saw the same messages. Turned gnutls back on, and now I am trying to live without DTLS, with verbose enabled. I need some time to observe the connection status.

A couple of minutes looks promising:

Send CSTP Keepalive
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response
Send CSTP Keepalive
Send CSTP Keepalive
Send CSTP DPD
Got CSTP DPD response

I will mark this issue as resolved and reopen it if something bad happens with my connection. Looks like disabling DTLS works for me.
Comment 5 Ilyas B Arinov 2021-11-19 10:22:20 UTC
After working a while with these settings, I noticed a problem. Approximately 30 minutes after making the connection with openconnect, 2 DNS servers disappeared from /etc/resolv.conf, so I need to reconnect to bring DNS back. Is it an openconnect-related problem and a consequence of my new settings?
Comment 6 Mike Gilbert gentoo-dev 2021-11-19 20:38:04 UTC
As far as I know, openconnect does not update resolv.conf after the initial connection.